
Who will help the commander of the ESS Stargoose?


mythical
May 21st, 2003, 22:52
I am currently working on a crackme and I have to find the HOTKEY in order to "crack it".

My question is: what does getkeynametexta do? And is this a good starting point?

btw....I'm a newbie

ZaiRoN
May 22nd, 2003, 04:08
Hi,

getkeynametext: I have never used this function before, but I have read in the documentation that it is used to retrieve a string that represents the name of a key.
Maybe it's not the function you need in order to solve your crackme. You would have to try to identify when and where the crackme defines the key; RegisterHotKey may be a good starting point because it defines a hotkey.

Can you attach the crackme? It may be the best way to help you :-)

Ciao,
ZaiRoN

mythical
May 22nd, 2003, 12:47
Thanks for the help, here is the target file. I would like to get started in the right direction. I could not attach the .nfo files because it said the file was then too big to be posted; the current file size is 159kb.

ZaiRoN
May 22nd, 2003, 13:02
Hi,

I moved the thread, now, another mini project can begin :-).
It seems to be a very unusual crackme :-)
Quote:
I could not attach the .nfo files
Can you post the rules and/or what we have to do in order to solve the crackme?

Thx,
ZaiRoN

mythical
May 22nd, 2003, 13:08
This is all that was included in the crackme. It's a text file; I left the nfo out because all it is is a text pic of his name "Marchare". Anyway, here is the story and rules.


MarchHaRe's 2nd crackme ..

Storyline:
You are the commander of the ESS Stargoose and flying
through space as you suddenly realize you forgot how
to activate the worm-hole device which could open
up a "tunnel" for you to escape to another world ...

Hint: You only have a few tries before the worm-hole device destroys itself

Your Mission:
Find the key to open the wormhole and send the solution
and how ya got to it to:
marchhare@woodydrn.com

Bruteforcing it by pressing all keys does not count as a solution ;-)

ZaiRoN
May 23rd, 2003, 09:36
Hi,
Quote:
I have to find the HOTKEY in order to "crack it".
Hotkey, are you sure? Seems like the program wants only a sequence of simple keys to be pressed.

I haven't spent too much time on this target, but (maybe) this information will help you. The program is written in Delphi and DeDe is the tool that will help us. This is an amazing tool; it will help you to easily identify the way to the final goal.
Load the crackme and take a look at the 'Forms' section. In this section you will find all the info related to tForm1 class (the main window of the crackme). In particular, you can see all the procedures called by the crackme:

OnClose = FormClose ; called when the window is closed
OnCreate = FormCreate ; called when the window is created
OnDestroy = FormDestroy ; called when the window is destroyed
OnKeyDown = FormKeyDown ; called when a key is pressed
OnPaint = FormPaint ; called when the window is redrawn
OnResize = FormResize ; called when the window is resized

Due to the fact that we need to find a sequence of keys, OnKeyDown seems to be the procedure we are looking for.
Ok, go to the Procedures section, where you can find all the procedures, and double click on OnKeyDown. You have all the code of the procedure in front of you.

Now, I suggest you use your preferred debugger and try to understand what will happen when a key is pressed :-)

Regards,
ZaiRoN

mythical
May 24th, 2003, 01:37
I tried the method, and ran it in Olly and found a reference to "K"
and then soon got lost in the code. I will keep trying, and thanks for the help.

Manko
May 24th, 2003, 13:20
Hi!

No need to go beyond the RET of this proc...
Also, what you had found is good, but not enough...

You might have gotten stuck or lost, but it is not that difficult, so don't dig too deep. On the other hand, maybe you have already solved this?

/Manko

mythical
May 24th, 2003, 23:34
I have found that I have to press K in order to even go to the check. So I press "K". After that I get lost, but have figured out a way to make BL=02 and by just pressing "K" I will go to the wormhole.
Here is how..

0043C46C 55 push ebp
0043C46D 8BEC mov ebp, esp
0043C46F 53 push ebx
0043C470 56 push esi
0043C471 8BF1 mov esi, ecx --move ecx which is "k" to ESI
0043C473 8B5D08 mov ebx, [ebp+$08]

* Reference to Form1
|
0043C476 A114F04300 mov eax, dword ptr [$43F014]

* Reference to field Form1.OFFS_000C
|
0043C47B 8B400C mov eax, [eax+$0C]

* Reference to GlobalVar_0043F020
|
0043C47E A320F04300 mov dword ptr [$43F020], eax --move the number of times I have pressed a key to EAX
0043C483 833D20F0430005 cmp dword ptr [$43F020], +$05 -- Have I pressed 5 keys?
0043C48A 750C jnz 0043C498 -- If so End Process, End Program
0043C48C C60534F0430001 mov byte ptr [$43F034], $01

|
0043C493 E84872FCFF call 004036E0
0043C498 66833E4B cmp word ptr [esi], +$4B -- Compare the key I pressed to "K"
0043C49C 751A jnz 0043C4B8 -- If so do not jump
0043C49E F6C301 test bl, $01 -- change this to "mov BL,02"
0043C4A1 7415 jz 0043C4B8 --"NOP" this
0043C4A3 F6C302 test bl, $02
0043C4A6 7410 jz 0043C4B8
0043C4A8 803D2CF0430000 cmp byte ptr [$43F02C], $00
0043C4AF 7507 jnz 0043C4B8
0043C4B1 C6052CF0430001 mov byte ptr [$43F02C], $01
0043C4B8 FF0520F04300 inc dword ptr [$43F020]

* Reference to Form1
|
0043C4BE A114F04300 mov eax, dword ptr [$43F014]
0043C4C3 8B1520F04300 mov edx, [$43F020]

* Reference to field Form1.OFFS_000C
|
0043C4C9 89500C mov [eax+$0C], edx
0043C4CC 5E pop esi
0043C4CD 5B pop ebx
0043C4CE 5D pop ebp
0043C4CF C204 ret $04

If someone can find out where BL is changed in the code it would be of some help. But this way works.

Thanks for everyones help.

ZaiRoN
May 25th, 2003, 07:49
Hi,

You have solved the crackme, well done! But, we can solve the crackme without patching :-)

This is the syntax of FormKeyDown function: TForm1.FormKeyDown(Sender: TObject; var Key: Word; Shift: TShiftState);
we are interested in the last two parameters:
- Key, the key that has been pressed
- Shift, it can take many values but the more interesting are: ssShift, ssAlt and ssCtrl.
Quote:
where BL is changed in the code
The value of bl is related to 'shift' parameter, in particular you have:
bl = 1 if shift is pressed (ssShift)
bl = 2 if alt is pressed (ssAlt)
bl = 3 if shift+alt is pressed
bl = 4 if ctrl is pressed (ssCtrl)
bl = 5 if shift+ctrl is pressed
and so on...

We have to pass these two checks:

CODE:0043C49E test bl, 1 ; checks if the first bit of bl is set
CODE:0043C4A1 jz short loc_43C4B8 ; jump if it's not set
CODE:0043C4A3 test bl, 2 ; checks if the second bit of bl is set
CODE:0043C4A6 jz short loc_43C4B8 ; jump if it's not set

The 'test' instruction performs a logical 'and' between the two operands, so bl must have both the first and second bit set to 1: bl=00000011=03. If bl=03 and 'k' is pressed the crackme is solved :-)

ZaiRoN
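As an added example that is not part of the thread or of MarchHaRe's crackme, the C below re-expresses the FormKeyDown body from mythical's listing together with ZaiRoN's reading of the Shift parameter, so the two bitmask tests and the five-try counter can be exercised without the binary. It assumes the Delphi register calling convention (ecx = pointer to Key, [ebp+8] = Shift set, so bl holds the TShiftState byte), the bit assignments from ZaiRoN's table (ssShift = bit 0, ssAlt = bit 1, ssCtrl = bit 2), and, following mythical's comment, that the call at 004036E0 ends the program; that call is modelled as an early return. The global names (tries, self_destruct, wormhole_open) are labels chosen here for the bytes at $43F020, $43F034 and $43F02C.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TShiftState bit positions as given in ZaiRoN's table (assumption). */
enum { SS_SHIFT = 0x01, SS_ALT = 0x02, SS_CTRL = 0x04 };
/* cmp word ptr [esi], 4Bh  -> virtual-key code of 'K'. */
enum { KEY_K = 0x4B, MAX_TRIES = 5 };

/* Globals the handler touches, named here for readability (assumption). */
typedef struct {
    uint32_t tries;       /* Form1.OFFS_000C, mirrored at $43F020 */
    bool self_destruct;   /* byte at $43F034 */
    bool wormhole_open;   /* byte at $43F02C */
} crackme_state;

/* Body of TForm1.FormKeyDown between the prologue and `ret 4`.
 * key   = the Word that ecx pointed to
 * shift = the TShiftState byte that ended up in bl
 * Returns true when the wormhole flag is set after this key press. */
bool form_key_down(crackme_state *st, uint16_t key, uint8_t shift)
{
    /* cmp dword ptr [$43F020], 5 / jnz: the 6th press trips the
     * self-destruct path (mov byte [$43F034], 1 ; call 004036E0).
     * The thread reads that call as "end program", modelled as return. */
    if (st->tries == MAX_TRIES) {
        st->self_destruct = true;
        return false;
    }

    /* cmp word [esi], 4Bh ; test bl,1 ; test bl,2 ; cmp byte [$43F02C],0
     * Every jz/jnz skips to the inc below, so all four must pass. */
    if (key == KEY_K &&
        (shift & SS_SHIFT) &&        /* test bl, 1 */
        (shift & SS_ALT) &&          /* test bl, 2 */
        !st->wormhole_open) {
        st->wormhole_open = true;    /* mov byte ptr [$43F02C], 1 */
    }

    st->tries++;                     /* inc dword ptr [$43F020] */
    return st->wormhole_open;
}

/* Try every possible low-3-bit Shift state against a fresh state with 'K'
 * pressed; returns how many of them open the wormhole. Because `test`
 * only checks that the masked bits are set, both 03 (Shift+Alt) and
 * 07 (Shift+Alt+Ctrl) pass, so the answer is 2, not 1. */
int count_passing_shift_states(void)
{
    int passing = 0;
    for (uint8_t shift = 0; shift < 8; shift++) {
        crackme_state st = { 0, false, false };
        if (form_key_down(&st, KEY_K, shift))
            passing++;
    }
    return passing;
}

int main(void)
{
    crackme_state st = { 0, false, false };
    printf("K alone        : %s\n", form_key_down(&st, KEY_K, 0) ? "open" : "closed");
    printf("Shift+K        : %s\n", form_key_down(&st, KEY_K, SS_SHIFT) ? "open" : "closed");
    printf("Alt+K          : %s\n", form_key_down(&st, KEY_K, SS_ALT) ? "open" : "closed");
    printf("Shift+Alt+K    : %s\n", form_key_down(&st, KEY_K, SS_SHIFT | SS_ALT) ? "open" : "closed");
    printf("tries used     : %u\n", st.tries);
    printf("shift states that pass with K: %d\n", count_passing_shift_states());
    return 0;
}
```

The counter check is `==` 5 rather than `>=`, which is why the listing only has to guard the sixth key press: once the self-destruct path runs, the handler is never called again. Note also that mythical's patch (`mov bl,2` plus a NOP over the first `jz`) and ZaiRoN's unpatched Shift+Alt+K both reach the `mov byte ptr [$43F02C], 1`; the reimplementation makes it easy to see that they differ only in how bits 0 and 1 of bl come to be set.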